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(g) Hardware arrangement for enciphering bit blocks while renewing a key at each iteration. 



@ A plaintext is enciphered using a plurality of stages in tandem via a plurality of iterations. Each of the 
stages is arranged to perfonm a complex key-dependent computation. The stage includes a memory for 
storing a key. A cipher functton circuit transposes, using the key, one block applied to the stage from a 
preceding stage. An exdusive-or circuit implements an exclusive- or operation of the output of the 
cipher fiinctk>n and the other block applied to the stage from the preceding stage. A unique 
anrangement is provkJed for transposing the output of the cipher function circuit and then applying the 
output thereof to the memory. Therefore, the key is replaced with the output of the unique arrangement 
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The present invention relates generally to an arrangement for transforming plaintext into the corresponding 
ciphertext in a digital data communications system, and more specifically to an arrangement for enciphering 
data blocks via Iterated computations wherein a key is renewed at each iteration. The arrangement disclosed 
Is also applicable to the reverse process of transforming ciphertext into the original plaintext 
5 In a data communications system, it Is a common practice to use cryptographic techniques in order to pre- 

vent an unauthorized person(s) from obtaining data. Plaintext to be transmitted is transformed into the corre- 
sponding ciphertext The plaintext can be reproduced from the ciphertext by using the exactly the same key 
used to encipher it. 

A cipher is a secret method of writing whereby plaintext (or deartext) is transformed into the corresponding 
10 ciphertext (sometimes called a cryptogram). The process is called encipherment or encryption, while the re- 
verse process of transforming ciphertext into the corresponding plaintext is called decipherment or decryption. 
Both encipherment and decipherment are controlled by a cryptographic key or keys. 

In 1977 the National Bureau of Standards of U.ST^ announced a Data Encryptk>n Standard (DES) to be 
used in unclassified U.S. Government applicatfons. DES enciphers 64-bit blocks of data with a 56-bit key. 
15 By way of example, known cryptographic techniques utilizing DES are disclosed in Japanese L^kJ-open 

Patent Applications Nos. 51-108701 and 51-108702 which were respedwely based on U.S. Patent Applk:ations 
Nos. 552.684 and 552.885 both filed February 24, 1975. 

Further. DES Is disclosed in detail In a paper entitled "Data Encryption Standard". Federal Information 
Processing Standards Publicatfon (FIPS PUB) 46-1. Supersedes FIPS PUB 41. 1977 January 15, Reaffirmed 
20 1 988 January 22, published by U.S. Department of Commerce. 

DES enciphers 64-bit blocks of data with a 56-bit key. The algorithm of DES, which is used both to encipher 
and decipher, is such that an input block is first transposed under an initial permutation IP. After has passed 
through 16 iterations of a cipher function, it is transposed under the Inverse of the initial permutation to gh^e 
a ciphertext 

25 The encipherment according to DES uses a common key which is prepared before encipherment and is 

fixed through encipherment Accordingly, this algorithm has encountered the problem that the cipher is some- 
what computationally vulnerable. 

It is an object of the present invention to provide a hardware arrangement for enciphering blocks of data, 
via a plurality of Iterations, using a key which is renewed each iteration. 

30 More specifically, an aspect of the present invention resides in a hardware arrangement for transforming 

plaintext into corresponding ciphertext using a first to n-th stages provided in tandem (where n is an integer 
more than three), each of said first to n-th stages performing a complex key-dependent computation and conv 
prising; a memory for storing a key; first means for transposing, using said key, a first bit block applied thereto 
from a preceding stage; second means for implementing an exclusive-or operation of output of said first means 

35 and a second bit block applied thereto from said preceding stage; and third means for transposing output of 
said first means using said key. said third means applying output thereof to said memory whereby said key is 
replaced with said output of said third means. 

Another aspect of the present inventton resides in a hardware arrangement for transforming plaintext Into 
corresponding ciphertext using a first to n-th stages provided in tandem (where n is an integer more than three), 

40 each of said first to n-th stages performing a complex key-dependent computation and comprising; a memory 
for storing a key; first means storing a plurality of first bit t>locks successhfely applied thereto from a preceding 
stage, said second means receiving said key from said memory and modifying said key using at least one of 
said first bit blocks stored, said second means outputting a modified key; second means for transposing, using 
said modified key, the first bit block applied thereto from the preceding stage; and third means for implementing 

45 an exclush/e-or operation of output of said second means and a second bit block applied thereto from said 
preceding stage. 

The features and advantages of the present invention will become more clearly appreciated from the fol- 
lowing descriptton taken In conjunction with the accompanying drawings In which like elements are denoted 
by like reference numerals and In which: 
50 Fig. 1 is a block diagram schematically showing a first embodiment of the present invention; 

Fig. 2 is a block diagram schematically showing one block of Fig. 1; 
^ Fig. 3 is a second emt>odlment of the present invention; and 

^ Fig. 4 is a block diagram schematically showing a third emt>odiment of the present inventbn. 

The present invention will be discussed in connection with the case where it is applied to the Data En- 
55 cryption Standard (DES). However, the application of the present invention to DES is merely exemplary and 
the present invention is in no way limited to such an application if a common key is used to encipher a plaintmt 
via iterations. 

Fig. 1 is a block diagram schematically showing the first embodiment of the present invention. 
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The first embodiment features that a cryptographic key, which controls each of complex key-dependent 
computation stages S1>S16, is renewed after completing a bit transpositk>n thereat. 

The first embodiment differs from the arrangement of DES in that each of the complex key-dependent 
computation stage S1-S1 6 of the first embodiment, is additionally provided with three components Mn, En and 
5 EX-An(n=1.2, .... 16). 

A key scheduling section 10 is supplied with a 64-bit initial key including 8 parity bits. The initial key applied 
to the key scheduling section 10 is first subjected to bit transposition using a permutation PC-1 (permuted 
choice) shown in Table 1 . The table, as well as the other permutation tables described later, should be read 
left-to-right, top-to-bottom. For example, the pemnutation PC-1 transposes B=bi, b2, .... b64 into Bp^bsj. b49, .... 
10 b4. 
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The permutation PC-1 discards the parity bits and transpose the remaining 56 bits as shown in the above 
Table 1. The result of the permutatk>n PC-1 is then split into two halves C and D of 28 bits each. The blocks 
C and D are then successively circularly shifted left to derive each key (suff be n denotes n-th iteration and 
n=1, 2, .... 16 in this case). The key schedule of left shifts is shown in Table 2. 
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Bit data Cn and Dn (n'^l, 2. .... 16) obtained through the left circular shifts, are then decreased in number 
from 56 bits to 48 bits via permutation PC-2 shown in Table 3. 
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5 



10 



15 



14 


17 


11 


24 


1 


5 


3 


28 


15 


6 


21 


10 


23 


19 


12 


4 


26 


8 


16 


7 


27 


20 


13 


2 


41 


52 


31 


37 


47 


55 


30 


40 


51 


45 


33 


48 


44 


49 


39 


56 


34 


53 


46 


42 


50 


36 


29 


32 



The operation of the key scheduling section 1 0 is well known in the art and hence further descriptions will 
be omitted for the sake of brevity. 

The 16 keys K^K^a thus obtained are respectively applied to the stages S1-S16 and stored in correspond- 
20 ing nr^emories Ml -Ml 6. 

As shown in Fig. 1, the stage S1 Includes, In addition to the memory Ml, a cipher functton circuit F1, an 
expanding permutation circuit El and an exdush^e-or gate EX1. The other stages S2-S16 each is configured 
in exactly the same manner as the stage S1 and thus, each of the counterparts is gh^en the same notation 
plus an iteratbn number. 

25 After the stages S1-1 6 have respectively stored the keys Ki-Ki6» an initial 64-bit block of a plaintext Is ap- 

plied to the arrangement of Fig. 1 and then first subjected to an initial permutation IP (Table 4) at a circuit 12. 
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After the initial block input of 64-bit is transposed under the initial permutation IR the 64-bit block is divided 
into two halves L and R of 32-bit each and then undergo 16 iterations of a cipher function f and exdusive-or 
operations. Let Tn (64 bits) denote the result of the n-th Iteration, and let Ln and R„ (each 32 bits) denote the 
left and right haves of Tn, respectively. Then, 

1^ = 1^.^ + f(R„.i,KJ 
where + depicts the exciusive^or operation. 

Fig. 2 Is a sketch of the hardware arrangement Implementing the cipher function f(Rfl.i, Kn). Rn.i Is first 
expanded to a 48-bit block, at an bit expanding circuit 14, using a bit selection table (Table 5). 
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15 

Subsequently, the exclusive-or of E{Rn. i) (viz., the output of the expanding permutation circuit 14) and Kn 
ts implemented at the exclusive-or gate 16 and the result broken into eight 6-bit blocks Bi, .... Bs which are 

respectively applied to eight selection (substitution) function circuits (S-boxes) Sq. These eight S-boxes 

circuits Si-Ss output respectively 4-bit blocks which are concatenated together, and the resulting 32-bit block 
20 is transposed by a permutation circuit 18 using Table 6. 

The operations of S-boxes SfSg are well known and disclosed in detail in the paper referred to in the open- 
ing paragraphs and hence will be omitted for the purpose of simplifying the disclosure. 
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In the following, merely for the convenience of descriptton, the operattons of the n-th stage Sn (n=1> 2 

1 6) are discussed. 

The 32-bit block outputted from the cipher function circuit Fn is applied to the EXn to whteh the bit block 
Ln is also applied. The EXn carries out an exclusive-or operation of the 32- bit block from Fn and the block U, 
and the result of the operation is applied to the next stage S(n'i'l) as a block Ri+i* 

As mentioned above, the f irst embodiment is to renew the key K„ (n=1 , 2, 16) after each transposition 
of data block at the corresponding stage Sn. To this end, the memory Mn, the expanding pemnutation circuit 
En and the exdusive-or circuit EX-An are provided in the stage Sn. 

The 32-bit block from the function circuit Fn Is expanded to a 48-bit block using the above mentioned Table 
5. Following this, the EX-An perfomis an exdusive-or operation of the 48-bit key Kn and the 48-bit block out- 
putted from En. Let the key Kn currently stored in the memory Mn denote Koid let a new key denote K,^, 
we have 

K„«. = Kcd + E(0)n 
wherein E(0)n depicts the output of the exclusive-or circuit EX-An. 

Thus, the key Kn (i==1, 2, 16) stored in the corresponding memory Mn can be renewed or replaced after 
i each transpositton of data block at the corresponding stage Sn is finished. 

The data block outputted from the last stage S16 is subjected to the inverse of the initial permutation using 
Table 7. Thus, a ciphertext can be obtained from the arrangement of Fig. 1. 
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As mentioned above, the key in each of the stages SI-SI 6 is subject to change after each iteration. Ac- 
cordingly, the ciphertext obtained from the first embodiment is computationally much more Infeasible to be 
broken as compared with the prior art. 
20 A second embodiment of the present invention will be discussed with reference to Fig. 3. The second em- 

bodiment is applied to DEC as in the first embodiment merely by way of example. Fig. 3 shows only one stage 

(viz., n-th stage (n-1, 2 16)) in that each of the other fifteen stages is arranged or configured in exactly 

the same manner as the n-th stage. 

The n-th stage Sn Includes a memory Mn\ two exdusive-or circuits EXn' and EX-Bn, a cipher function 
25 circuit Fn', an expanding permutation circuit En', and a memory 30(n), all of whtoh are coupled as shown. The 
cipher function Fn' and the exclusive-or circuit EXn' are essentially the sanie as the counterparts Fn and Exn 
of Fig. 1 . Further, the memory Mn* corresponds to Mn of Fig. 1, and the expanding permutation circuit En' op- 
erates in a manner identical to the counterpart En of Fig. 1 . 

In the second embodiment, the key Kn initially outputted from the key scheduling section 10 (Fig. 1) is re- 
30 tained in the memory Mn and is not subjected to any renewal as in the first embodiment 

The second eml>odiment Is advantageous especially In the case where the ciphertext is subject to bit errors 
during encipherment and/or during data transmission. In nnore specific terms, the key K„ initially applied is held 
in the memory Mn and hence, even if a bit error occurs at a given stage and/or during data transmission, the 
bit disturbance caused by the bit error can be restored In a very short time. 
35 The memory 30(n) includes two memory stages MSI and MS2 In this particular embodiment. The upper 

memory stage MSI stores the bit block E(0)-1 applied thereto from the expanding permutation circuit En at 
a given iteration. When the bit block E(0)-1 is stored in the memory stage MSI, the bit block which has been 
stored therein is transferred to the lower memory stage MS2. The bit transposition operation is controlled by 
the output (viz., key) of the exclusive-or circuit EX-Bn which is supplied with the key Kn and the previous output 
40 E(0)-2 of the expanding permutation circuit En'. 

At the next Iterated operation, the new bit block is stored in the memory stage MS1 as a new bit block E(0)- 
1. Thus, the okl bit block E(0)-1 Is transferred to the memory stage MS2 as a new bit bk>ck E(0)-2. The old 
bit block E(0)-2 is abandoned. Following this, the same operation Is repeated. 

The operations of the circuits Fn' and EXn' have been discussed In connection with the first embodiment 
45 and as such, further descriptbns thereof will be omitted. 

In Fig. 3, the memory 30(n) includes two memory stages MSI and MS2 in this particular case. However, 
the memory stages can be increased wherein the output of the circuit En' stored In the last stage is applied to 
the exclusive-or circuit EX-Bn. 

A third embodiment of the present inventton will be discussed with reference to Fig. 4. The third emt>odi- 
50 ment includes a memory 30(ny having three memory stages MSI , MS2 and MS3. Other than this, the third 
embodiment Is the same as the second embodiment 

As shown In Fig. 3, the exdush^or circuit EX-Bn' Is supplied with the three inputs from the memory 
i Mn' and the memory stages MS2 and MS3. According to the thM embodiment, a key applied to the cipher 
function circuit Fn' can be changed in a manner which renders nrK>re computatk>nally infeasible to break the 
55 cipher as compared with the second embodiment 
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Claims 

1 . A hardware arrangement for transforming plaintext Into corresponding ciphertext using a first to n-tli sta- 
ges provided in tandem (where n is an integer more than three), each of said first to n-th stages performing 

5 a complex Icey-dependent computation and comprising; 

a memory for storing a l^ey; 

first means for transposing, using said key, a first bit block applied thereto from a preceding stage; 
second means for implementing an exdusive-or operation of output of said first means and a sec- 
ond bit block applied thereto from said preceding stage; and 
10 third means for transposing output of saM first means using saki key, said third means applying 

output thereof to said memory whereby saki key is replaced with said output of said third means. 

2. A hardware anrangement as claimed in daim 1, wherein said thbxi means Includes: • 

fourth means, coupled to saki first means, for transposing the output of said first n^ans; and 
f5 fifth means, coupled to said menfK)ry and said fourth means, for implementing an exdusive-or op- 

eration of said key and said output of said fourth means. 

3. A hardware arrangement as dalmed in claim 1 or 2, wherein said plaintext is applied to said first stage 
after being subjected to an initial permutation, and wherein output of said n-th stage is subjected to the 

^ inverse of said initial permutatton for obtaining said ciphertext. 

4. A hardware arrangement for transforming plaintext into corresponding dphertext using a first to n-th sta- 
ges provided in tandem (where n is an integer more than three), each of said first to n-th stages performing 
a complex key-dependent computation and comprising; 

a memory for storing a key; 

first means storing a plurality of first bit blocks successively applied thereto from a preceding stage, 
said second means receiving said key from saki memory and modifying said key using at least one of 
saki first bit blocks stored, said second means outputting a modified key; 

second means for transposing, using said modified key, the first bit block applied thereto from the 
preceding stage; and 

third means for implementing an exdusive-or operation of output of said second means and a sec- 
ond bit block applied thereto from said preceding stage. 

5. A hardware arrangement as daimed in daim 4, wherein said first means indudes: 

fourth means for transposing said first bit blocks applied thereto; 
^ fifth means, coupled to said fourth means, for storing outputs of saM fourth means; and 

sixth means for implementing an exclusive-or operation of saki key and at least one of said first 
bit blocks stored in said fifth means. 

6. A hardware arrangement as daimed In claim 4 or 5, wherein said plaintext is applied to said first stage 
^ after being subjected to an initial permutation, and wherein output of said n-th stage is subjected to the 

inverse of saki initial permutatk>n for obtaining said ciphertext 
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FIG. 3 
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@ Hardware arrangement for enciphering bit blocks while renewing a key at each iteration. 



@ A plaintext is enciphered using a plurality of 
stages in tandem via a plurality of iterations. 
Each of the stages is arranged to perform a 
complex keyndependent computation. The 
stage includes a mem<wy for storing a key. A 
cipher function circuit transposes, using the 
key, one block applied to the stage from a 
preceding stage. An exdusive-or circuit imple- 
ments an exclusive- or operatton of the output 
of the cipher functbn and the other block 
applied to the stage from the preceding stage. A 
unique arrangement Is provided for transposing 
the output of the cipher function circuit and 
then applying the output thereof to the memory. 
Therefore, the key is replaced with the output of 
the unique arrangement 



FIG.1 

PLAINTEXT 

i initial permut ation | 
^Jmt 



INrTlAL 



32-bit 




5 



CO 

<0 



Q. 
UJ 



-64-bit 



-10 



SI 6 




EX16 

INVERSE INmAL PERM | 



13 



T 



CIPHERTEXT 



Jouve, 18, rue SabiKtenis, 75001 PARIS 



BP 0 618 701 A3 



European Patcot 
Oflice 



EUROPEAN SEARCH REPORT 



ApptlailM Number 



DOCUMENTS CONSIDERED TO BE RELEVANT 



EP 94103809.3 



Catecory 



Ciution af d ac Mwn t affth jatfca^aa, iriwre apprapriate, 
af rclcvapt p atii gca 



Rdevaot 
ta dalm 



OASSIFICATION OF THE 
APPUCATION (tot, g. 6/ 



US - A - 3 962 539 
(EHRSAM) 

* Abstract * 

US - A ~ 3 958 081 
(EHRSAM) 

* Abstract * 

US - A ~ 4 316 055 
(FBISTEL) 

* Abstract * 

EP - A - 0 221 538 
(NIPPON TELEGRAPH) 

* Abstract * 



H 04 L 9/06 
H 04 K 1/00 



TECHNICAL FIELDS. 



.CL6) 



H 04 L 9/00 
H 04 K 1/00 



The present seareb report has been drawn up for all dairas 



FIbcc of HmJk 

VIENNA 



31-01-1995 



KUNZE 



3 

i 

z 

K 

o 

2 



CATEGORY OF aiEO DOCUMENTS 

X : particslaHy nlevaet if laktn aion* 

Y : partlcalarly rvtevaot if a»mbiacd with Bnoiher 

rfocomeni of the same category 
A : tecboolo^cil backcrooad 
O : oDD-writtcn disclowre 
P : intermedbte dooHncRi 



T : tbcocy or principle vodcrlyfiis the litvestioa 
E : earlier paictN doconMal, but pttblbhcd oa, or 

after tb« filing tfate 
D : doatmcni died la ihe appUcalton 
L : doca Belli died for ocber reasons 

A : member of tbo same patent fanlly, corresponding 
docnmcBi 



2 



BLANK PAGE 



